* [PATCH v2] semanage: handle getprotobyname() failure case
@ 2020-06-05 8:19 Topi Miettinen
2020-06-08 16:18 ` Stephen Smalley
0 siblings, 1 reply; 4+ messages in thread
From: Topi Miettinen @ 2020-06-05 8:19 UTC (permalink / raw)
To: selinux; +Cc: Topi Miettinen
At least on Debian, /etc/protocols, which is used by
socket.getprotobyname() to resolve protocols to names, does not
contain an entry for "ipv4". In that case, set the protocol number
used by audit logs for "ipv4" to a fixed value. To ensure audit log
compatibility, let's use the same numeric value as Fedora: 4, which is
actually understood by kernel as IP over IP.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
v2: don't change audit log format
---
python/semanage/seobject.py | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 6e0b87f2..6a14f7b4 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -1870,10 +1870,22 @@ class nodeRecords(semanageRecords):
except:
raise ValueError(_("Unknown or missing protocol"))
- return newaddr, newmask, newprotocol
+ try:
+ audit_protocol = socket.getprotobyname(protocol)
+ except:
+ # Entry for "ipv4" not found in /etc/protocols on (at
+ # least) Debian? To ensure audit log compatibility, let's
+ # use the same numeric value as Fedora: 4, which is
+ # actually understood by kernel as IP over IP.
+ if (protocol == "ipv4"):
+ audit_protocol = socket.IPPROTO_IPIP
+ else:
+ raise ValueError(_("Unknown or missing protocol"))
+
+ return newaddr, newmask, newprotocol, audit_protocol
def __add(self, addr, mask, proto, serange, ctype):
- addr, mask, proto = self.validate(addr, mask, proto)
+ addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
if is_mls_enabled == 1:
if serange == "":
@@ -1942,7 +1954,7 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
- self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange))
+ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", ctype, serange))
def add(self, addr, mask, proto, serange, ctype):
self.begin()
@@ -1950,7 +1962,7 @@ class nodeRecords(semanageRecords):
self.commit()
def __modify(self, addr, mask, proto, serange, setype):
- addr, mask, proto = self.validate(addr, mask, proto)
+ addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
@@ -1987,7 +1999,7 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
- self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange))
+ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", setype, serange))
def modify(self, addr, mask, proto, serange, setype):
self.begin()
@@ -1995,8 +2007,7 @@ class nodeRecords(semanageRecords):
self.commit()
def __delete(self, addr, mask, proto):
-
- addr, mask, proto = self.validate(addr, mask, proto)
+ addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
if rc < 0:
@@ -2020,7 +2031,7 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
- self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto])))
+ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, audit_proto))
def delete(self, addr, mask, proto):
self.begin()
--
2.26.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v2] semanage: handle getprotobyname() failure case
2020-06-05 8:19 [PATCH v2] semanage: handle getprotobyname() failure case Topi Miettinen
@ 2020-06-08 16:18 ` Stephen Smalley
2020-06-22 12:22 ` Stephen Smalley
0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2020-06-08 16:18 UTC (permalink / raw)
To: Topi Miettinen, linux-audit; +Cc: SElinux list
On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>
> At least on Debian, /etc/protocols, which is used by
> socket.getprotobyname() to resolve protocols to names, does not
> contain an entry for "ipv4". In that case, set the protocol number
> used by audit logs for "ipv4" to a fixed value. To ensure audit log
> compatibility, let's use the same numeric value as Fedora: 4, which is
> actually understood by kernel as IP over IP.
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
This looks fine to me but adding linux-audit mailing list to see if
they have any concerns. It appears to make no change to the audit
messages on Fedora.
> ---
> v2: don't change audit log format
> ---
> python/semanage/seobject.py | 27 +++++++++++++++++++--------
> 1 file changed, 19 insertions(+), 8 deletions(-)
>
> diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
> index 6e0b87f2..6a14f7b4 100644
> --- a/python/semanage/seobject.py
> +++ b/python/semanage/seobject.py
> @@ -1870,10 +1870,22 @@ class nodeRecords(semanageRecords):
> except:
> raise ValueError(_("Unknown or missing protocol"))
>
> - return newaddr, newmask, newprotocol
> + try:
> + audit_protocol = socket.getprotobyname(protocol)
> + except:
> + # Entry for "ipv4" not found in /etc/protocols on (at
> + # least) Debian? To ensure audit log compatibility, let's
> + # use the same numeric value as Fedora: 4, which is
> + # actually understood by kernel as IP over IP.
> + if (protocol == "ipv4"):
> + audit_protocol = socket.IPPROTO_IPIP
> + else:
> + raise ValueError(_("Unknown or missing protocol"))
> +
> + return newaddr, newmask, newprotocol, audit_protocol
>
> def __add(self, addr, mask, proto, serange, ctype):
> - addr, mask, proto = self.validate(addr, mask, proto)
> + addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
>
> if is_mls_enabled == 1:
> if serange == "":
> @@ -1942,7 +1954,7 @@ class nodeRecords(semanageRecords):
> semanage_node_key_free(k)
> semanage_node_free(node)
>
> - self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange))
> + self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", ctype, serange))
>
> def add(self, addr, mask, proto, serange, ctype):
> self.begin()
> @@ -1950,7 +1962,7 @@ class nodeRecords(semanageRecords):
> self.commit()
>
> def __modify(self, addr, mask, proto, serange, setype):
> - addr, mask, proto = self.validate(addr, mask, proto)
> + addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
>
> if serange == "" and setype == "":
> raise ValueError(_("Requires setype or serange"))
> @@ -1987,7 +1999,7 @@ class nodeRecords(semanageRecords):
> semanage_node_key_free(k)
> semanage_node_free(node)
>
> - self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange))
> + self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", setype, serange))
>
> def modify(self, addr, mask, proto, serange, setype):
> self.begin()
> @@ -1995,8 +2007,7 @@ class nodeRecords(semanageRecords):
> self.commit()
>
> def __delete(self, addr, mask, proto):
> -
> - addr, mask, proto = self.validate(addr, mask, proto)
> + addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
>
> (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
> if rc < 0:
> @@ -2020,7 +2031,7 @@ class nodeRecords(semanageRecords):
>
> semanage_node_key_free(k)
>
> - self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto])))
> + self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, audit_proto))
>
> def delete(self, addr, mask, proto):
> self.begin()
> --
> 2.26.2
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] semanage: handle getprotobyname() failure case
2020-06-08 16:18 ` Stephen Smalley
@ 2020-06-22 12:22 ` Stephen Smalley
2020-06-25 17:30 ` Stephen Smalley
0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2020-06-22 12:22 UTC (permalink / raw)
To: Topi Miettinen, linux-audit; +Cc: SElinux list
On Mon, Jun 8, 2020 at 12:18 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen <toiwoton@gmail.com> wrote:
> >
> > At least on Debian, /etc/protocols, which is used by
> > socket.getprotobyname() to resolve protocols to names, does not
> > contain an entry for "ipv4". In that case, set the protocol number
> > used by audit logs for "ipv4" to a fixed value. To ensure audit log
> > compatibility, let's use the same numeric value as Fedora: 4, which is
> > actually understood by kernel as IP over IP.
> >
> > Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
>
> This looks fine to me but adding linux-audit mailing list to see if
> they have any concerns. It appears to make no change to the audit
> messages on Fedora.
Seeing no objections from linux-audit,
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] semanage: handle getprotobyname() failure case
2020-06-22 12:22 ` Stephen Smalley
@ 2020-06-25 17:30 ` Stephen Smalley
0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2020-06-25 17:30 UTC (permalink / raw)
To: Topi Miettinen, linux-audit; +Cc: SElinux list
On Mon, Jun 22, 2020 at 8:22 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Mon, Jun 8, 2020 at 12:18 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen <toiwoton@gmail.com> wrote:
> > >
> > > At least on Debian, /etc/protocols, which is used by
> > > socket.getprotobyname() to resolve protocols to names, does not
> > > contain an entry for "ipv4". In that case, set the protocol number
> > > used by audit logs for "ipv4" to a fixed value. To ensure audit log
> > > compatibility, let's use the same numeric value as Fedora: 4, which is
> > > actually understood by kernel as IP over IP.
> > >
> > > Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> >
> > This looks fine to me but adding linux-audit mailing list to see if
> > they have any concerns. It appears to make no change to the audit
> > messages on Fedora.
>
> Seeing no objections from linux-audit,
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Applied.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-06-25 17:30 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-05 8:19 [PATCH v2] semanage: handle getprotobyname() failure case Topi Miettinen
2020-06-08 16:18 ` Stephen Smalley
2020-06-22 12:22 ` Stephen Smalley
2020-06-25 17:30 ` Stephen Smalley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).